On Wed, Nov 6, 2013 at 9:23 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> SELinux blocks "confined" processes, but usually does not block the administrator, who is running as unconfined_t and is allowed to do everything he could do if SELinux was disabled.
> Confined processes are targeted at system services: stuff that is started at boot, versus processes started by a logged-in user.
Is there a way to configure things so Tomcat or other Java web containers can unpack the WAR files used for code deployment and compile/cache JSP code on the fly, but not be able to write anything else (like from the several instances of Struts vulnerabilities)?
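The distinction Daniel describes (confined service domains such as a Tomcat domain versus an administrator running in unconfined_t) is something an auditor can check directly from process labels. The following is an added example, not code from the thread: it parses text in the column layout of `ps -eZ` (LABEL PID TTY TIME CMD) and reports which processes run in an unconfined domain and which are confined. The sample listing and its PIDs are constructed for the example; the type names tomcat_t, sshd_t, init_t and unconfined_service_t are assumed from the targeted policy.

```python
"""Classify processes as confined or unconfined from `ps -eZ`-style output.

Added example for the SELinux thread above; not part of the original mail.
The SELinux context in the LABEL column has the form user:role:type[:range].
The MLS/MCS range uses '-', ',' and '.' but never ':', so the type is always
the third colon-separated field.
"""
import re
from typing import Dict, List

# Constructed sample in the shape of `ps -eZ` output (not captured from a real host).
SAMPLE_PS_EZ = """\
LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0           1 ?        00:00:03 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023 812 ?     00:00:00 sshd
system_u:system_r:tomcat_t:s0       1403 ?        00:01:12 java
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2201 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2250 pts/0 00:00:00 ps
"""

# Domains that the targeted policy does not confine (assumed set; extend per host policy).
UNCONFINED_DOMAINS = {"unconfined_t", "unconfined_service_t"}

# One data row: context, pid, tty, cputime, command (the header row does not match
# because the PID column is not numeric there).
LINE_RE = re.compile(
    r"^(?P<label>\S+)\s+(?P<pid>\d+)\s+(?P<tty>\S+)\s+(?P<time>\S+)\s+(?P<cmd>.+)$"
)


def parse_ps_ez(text: str) -> List[Dict[str, object]]:
    """Return one dict per process row with its SELinux user, role and type."""
    procs: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header line or a row we cannot parse
        fields = m.group("label").split(":")
        if len(fields) < 3:
            continue  # not a full user:role:type context
        procs.append({
            "pid": int(m.group("pid")),
            "cmd": m.group("cmd").strip(),
            "user": fields[0],
            "role": fields[1],
            "type": fields[2],
        })
    return procs


def is_confined(proc: Dict[str, object]) -> bool:
    """A process is confined unless its domain is one of the unconfined types."""
    return proc["type"] not in UNCONFINED_DOMAINS


def unconfined_processes(text: str) -> List[int]:
    """PIDs running in an unconfined domain, i.e. unrestricted by SELinux."""
    return [p["pid"] for p in parse_ps_ez(text) if not is_confined(p)]


def domain_of(text: str, cmd: str) -> List[str]:
    """Domains (types) in which processes with the given command name run."""
    return sorted({p["type"] for p in parse_ps_ez(text) if p["cmd"] == cmd})


if __name__ == "__main__":
    for p in parse_ps_ez(SAMPLE_PS_EZ):
        state = "confined" if is_confined(p) else "UNCONFINED"
        print(f"{p['pid']:>6} {p['cmd']:<10} {p['type']:<22} {state}")
```

On a live host the same functions can be fed the real output of `ps -eZ`; any service that shows up in an unconfined domain is one for which SELinux provides no restriction, which is the first thing to verify before asking the policy to limit where Tomcat may write.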